Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for 802.1X authentication, used in a network that comprises an access device and an access control device, wherein a Wireless Local Area Network (WLAN) security template is enabled at the access device, an 802.1X client template is enabled at the access device to perform functions of an 802.1X client, and an 802.1X device template is enabled at a tunnel port of the access control device to perform functions of an 802.1X device, the method comprising: establishing, by the access control device, an 802.1X authentication tunnel with an access device, receiving, by the access control device, an 802.1X protocol packet transmitted by a client at the access control device through the 802.1X authentication tunnel; authenticating, by the access control device, the client after receiving the packet; and assisting, by the access control device, the access device through the 802.1X authentication tunnel to obtain a session key, wherein the assisting, by the access control device, the access device through the 802.1X authentication tunnel to obtain the session key comprises: transmitting, by the access control device, a pairwise master key obtained from the authentication process to the access device through the 802.1X authentication tunnel, whereby the access device performs a key negotiation with the client by using the pairwise master key to obtain the session key; or performing, by the access control device, the key negotiation with the client via the access device through the 802.1X authentication tunnel by using the pairwise master key obtained from the authentication process, and transmitting the session key obtained from the key negotiation process to the access device through the 802.1X authentication tunnel.
2. The method of claim 1, wherein the 802.1X authentication tunnel is established after a Wireless Local Area Network (WLAN) security template is enabled at the access device, or when the access device receives an 802.1X authentication protocol packet for the first time from the client.
3. The method of claim 1, wherein: the network comprises a backup access control device which establishes a backup 802.1X authentication tunnel with the access device and the 802.1X device template is enabled at the backup access control device; and the method further comprises synchronizing, by the access control device, information exchanged between the access control device and the access device to the backup access control device in real time, whereby the backup access control device replaces the access control device when the main 802.1X authentication tunnel is unavailable.
4. The method of claim 1, wherein the access device is one of an Access Controller (AC) and a FAT Access Point (AP).
5. The method of claim 1, wherein the access control device is one of a Broadband Access Server (BAS) and a Broadband Remote Access Server (BRAS).
6. A non-transitory computer readable storage medium encoded with executable instructions for execution by a processor of an access control device to: establish, by the access control device, an 802.1X authentication tunnel with an access device, wherein a Wireless Local Area Network (WLAN) security template is enabled at the access device, an 802.1X client template is enabled at the access device to perform functions of an 802.1X client, and an 802.1X device template is enabled at a tunnel port of the access control device to perform functions of an 802.1X device; receive, by the access control device, an 802.1X protocol packet transmitted by a client through the 802.1X authentication tunnel; authenticate, by the access control device, the client after receiving the 802.1X protocol packet; and assist, by the access control device, the access device through the 802.1X authentication tunnel to obtain a session key, wherein the assisting, by the access control device, the access device through the 802.1X authentication tunnel to obtain the session key comprises: transmitting, by the access control device, a pairwise master key obtained from the authentication process to the access device through the 802.1X authentication tunnel, whereby the access device performs a key negotiation with the client by using the pairwise master key to obtain the session key; or performing, by the access control device, the key negotiation with the client via the access device through the 802.1X authentication tunnel by using the pairwise master key obtained from the authentication process, and transmitting/receiving the session key obtained from the key negotiation process to the access device through the 802.1X authentication tunnel.
7. A method for 802.1X authentication, used in a network that comprises an access device and an access control device, wherein a Wireless Local Area Network (WLAN) security template is enabled at the access device, an 802.1X client template is enabled at the access device to perform functions of an 802.1X client, and an 802.1X device template is enabled at a tunnel port of the access control device to perform functions of an 802.1X device, the method comprising: establishing, by the access device, an 802.1X authentication tunnel with the access control device; receiving, by the access device, an 802.1X protocol packet transmitted by a client, and transmitting the 802.1X protocol packet to the access control device through the 802.1X authentication tunnel, whereby the access control device authenticates the client according to the 802.1X protocol packet received from the access device; and obtaining, by the access device, a session key under assistance from the access control device through the 802.1X authentication tunnel, wherein the obtaining, by the access device, the session key under assistance from the access control device through the 802.1X authentication tunnel comprises: receiving, by the access device, a pairwise master key transmitted by the access control device through the 802.1X authentication tunnel, and performing a key negotiation with the client by using the pairwise master key to obtain the session key; or receiving, by the access device, the session key transmitted by the access control device through the 802.1X authentication tunnel.
8. The method of claim 7, wherein the 802.1X authentication tunnel is established after a Wireless Local Area Network (WLAN) security template is enabled at the access device, or when the access device receives an 802.1X authentication protocol packet for the first time from the client.
9. The method of claim 7, wherein the access device is one of an Access Controller (AC) and a FAT Access Point (AP).
10. A non-transitory computer readable storage medium encoded with executable instructions for execution by a processor of an access device to: establish, by the access device, an 802.1X authentication tunnel with the access control device, wherein a Wireless Local Area Network (WLAN) security template is enabled at the access device, an 802.1X client template is enabled at the access device to perform functions of an 802.1X client, and an 802.1X device template is enabled at a tunnel port of the access control device to perform functions of an 802.1X device; receive, by the access device, an 802.1X protocol packet transmitted by a client, and transmit the 802.1X protocol packet to the access control device through the 802.1X authentication tunnel, whereby the access control device authenticates the client according to the 802.1X protocol packet received from the access device; and obtain, by the access device, a session key under assistance from the access control device through the 802.1X authentication tunnel, wherein the obtaining, by the access device, the session key under assistance from the access control device through the 802.1X authentication tunnel comprises: receiving, by the access device, a pairwise master key transmitted by the access control device through the 802.1X authentication tunnel, and performing a key negotiation with the client by using the pairwise master key to obtain the session key; or receiving, by the access device, the session key transmitted by the access control device through the 802.1X authentication tunnel.
11. An access device, which has a Wireless Local Area Network (WLAN) security template enabled and is connected to an access control device through an 802.1X authentication tunnel, and wherein an 802.1X client template is enabled at the access device such that the access device performs functions of an 802.1X client and an 802.1X device template is enabled at a tunnel port of the access control device such that the access control device performs functions of an 802.1X device, the access device comprising a first module, a second module, and an 802.1X authentication tunnel port, wherein: the first module is configured to receive a packet transmitted by a client, and transmit the packet to the access control device via the 802.1X authentication tunnel port through the 802.1X authentication tunnel when the packet is determined as an 802.1X protocol packet, the access control device authenticating the client according to the packet received from the first module; and the second module is configured to obtain a session key under assistance from the access control device through the 802.1X authentication tunnel, wherein the second module is configured to: receive a pairwise master key transmitted by the access control device through the 802.1X authentication tunnel, and perform a key negotiation with the client by using the pairwise master key to obtain the session key; or receive the session key transmitted by the access control device through the 802.1X authentication tunnel.
12. The access device of claim 11, wherein the access device is one of an Access Controller (AC) and a FAT Access Point (AP).
13. The access device of claim 11, wherein the access device begins to establish the 802.1X authentication tunnel with the access control device when the access device receives an 802.1X authentication protocol packet for the first time from the client.
14. An access control device, which is connected with an access device through an 802.1X authentication tunnel, and wherein an 802.1X client template is enabled at the access device such that the access device performs functions of an 802.1X client and an 802.1X device template is enabled at a tunnel port of the access control device such that the access control device performs functions of an 802.1X device, the access control device comprising a first module, a second module, and an 802.1X authentication tunnel port, wherein: the first module is configured to receive an 802.1X protocol packet transmitted by a client from the access device through the 802.1X authentication tunnel via the 802.1X authentication tunnel port, authenticate the client according to the 802.1X protocol packet, and transmit a pairwise master key obtained during authentication to the second module when the client passes the authentication; and the second module is configured to assist the access device through the 802.1X authentication tunnel to obtain a session key, wherein the second module is configured to: transmit the pairwise master key transmitted by the first module to the access device through the 802.1X authentication tunnel, whereby the access device can perform a key negotiation with the client by using the pairwise master key to obtain the session key; or directly perform the key negotiation with the client via the access device through the 802.1X authentication tunnel by using the pairwise master key, and transmit the session key obtained by the key negotiation to the access device through the 802.1X authentication tunnel.
15. The access control device of claim 14, wherein the access control device is one of a Broadband Access Server (BAS) and a Broadband Remote Access Server (BRAS).
16. The access control device of claim 14, further comprising a third module configured to save information exchanged by the first module and second module with the access device into another access control device having a backup relation with the access control device.
June 23, 2015